The ceph-deploy utility must log in to a Ceph node as a user
that has passwordless sudo privileges, because it needs to install
software and configuration files without prompting for passwords.

Recent versions of ceph-deploy support a --username option so you can
specify any user that has password-less sudo (including root, although
this is NOT recommended). To use ceph-deploy --username {username}, the
user you specify must have password-less SSH access to the Ceph node, as
ceph-deploy will not prompt you for a password.

We recommend creating a specific user for ceph-deploy on ALL Ceph nodes
in the cluster. Please do NOT use “ceph” as the user name. A uniform user
name across the cluster may improve ease of use (not required), but you should
avoid obvious user names (e.g., root, admin, {productname}), because attackers
typically try them in brute-force attacks. The following procedure,
substituting {username} for the user name you define, describes how to
create a user with passwordless sudo.

Note

Starting with the Infernalis release the “ceph” user name is reserved
for the Ceph daemons. If the “ceph” user already exists on the Ceph nodes,
removing the user must be done before attempting an upgrade.

Since ceph-deploy will not prompt for a password, you must generate
SSH keys on the admin node and distribute the public key to each Ceph
node. ceph-deploy will attempt to generate the SSH keys for initial
monitors.

Generate the SSH keys, but do not use sudo or the
root user. Leave the passphrase empty:

(Recommended) Modify the ~/.ssh/config file of your ceph-deploy
admin node so that ceph-deploy can log in to Ceph nodes as the user you
created without requiring you to specify --username {username} each
time you execute ceph-deploy. This has the added benefit of streamlining
ssh and scp usage. Replace {username} with the user name you
created:

Ceph OSDs peer with each other and report to Ceph Monitors over the network.
If networking is off by default, the Ceph cluster cannot come online
during bootup until you enable networking.

The default configuration on some distributions (e.g., CentOS) has the
networking interface(s) off by default. Ensure that, during boot up, your
network interface(s) turn(s) on so that your Ceph daemons can communicate over
the network. For example, on Red Hat and CentOS, navigate to
/etc/sysconfig/network-scripts and ensure that the ifcfg-{iface} file
has ONBOOT set to yes.

Hostnames should resolve to a network IP address, not to the
loopback IP address (e.g., hostnames should resolve to an IP address other
than 127.0.0.1). If you use your admin node as a Ceph node, you
should also ensure that it resolves to its hostname and IP address
(i.e., not its loopback IP address).

Ceph Monitors communicate using port 6789 by default. Ceph OSDs communicate
in a port range of 6800:7300 by default. See the Network Configuration
Reference for details. Ceph OSDs can use multiple network connections to
communicate with clients, monitors, other OSDs for replication, and other OSDs
for heartbeats.

On some distributions (e.g., RHEL), the default firewall configuration is fairly
strict. You may need to adjust your firewall settings to allow inbound requests so
that clients in your network can communicate with daemons on your Ceph nodes.

For firewalld on RHEL 7, add the ceph-mon service for Ceph Monitor
nodes and the ceph service for Ceph OSDs and MDSs to the public zone and
ensure that you make the settings permanent so that they are enabled on reboot.

For example, on monitors:

sudo firewall-cmd --zone=public --add-service=ceph-mon --permanent

and on OSDs and MDSs:

sudo firewall-cmd --zone=public --add-service=ceph --permanent

Once you have finished configuring firewalld with the --permanent flag, you can make the changes live immediately without rebooting:

sudo firewall-cmd --reload

For iptables, add port 6789 for Ceph Monitors and ports 6800:7300
for Ceph OSDs. For example:

On CentOS and RHEL, you may receive an error while trying to execute
ceph-deploy commands. If requiretty is set by default on your Ceph
nodes, disable it by executing sudo visudo and locating the
Defaults requiretty setting. Change it to Defaults:ceph !requiretty or comment it
out to ensure that ceph-deploy can connect using the user you created with
Create a Ceph Deploy User.

Note

If editing /etc/sudoers, ensure that you use
sudo visudo rather than a text editor.
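
The script below is an added example, not part of the Ceph documentation. It checks three of the settings described above: ONBOOT in an ifcfg file, hostname-to-loopback mappings in a hosts file, and whether requiretty still applies to the deploy user. The function names and the file-path arguments are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the Ceph docs): preflight checks for three settings
# described above. Each check takes a file path so it can run on copies.

# 0 if the ifcfg file brings the interface up at boot (ONBOOT=yes).
onboot_enabled() {
    grep -Eq '^[[:space:]]*ONBOOT=["'\'']?yes["'\'']?[[:space:]]*$' "$1"
}

# 0 if hosts file $1 maps hostname $2 to a loopback address (127.x or ::1).
host_maps_to_loopback() {
    awk -v h="$2" '
        { sub(/#.*/, "") }
        $1 ~ /^127\./ || $1 == "::1" { for (i = 2; i <= NF; i++) if ($i == h) hit = 1 }
        END { exit(hit ? 0 : 1) }' "$1"
}

# 0 if sudoers file $1 still requires a tty for user $2. A "Defaults:user"
# line overrides the global "Defaults"; included sudoers.d files are not read.
requiretty_blocks_user() {
    awk -v u="$2" '
        /^[ \t]*#/ { next }
        $1 == "Defaults" || $1 == "Defaults:" u {
            scope = ($1 == "Defaults") ? "g" : "u"
            if ($0 ~ /!requiretty/) val[scope] = 0
            else if ($0 ~ /requiretty/) val[scope] = 1
        }
        END { if ("u" in val) exit(val["u"] ? 0 : 1); exit(val["g"] ? 0 : 1) }' "$1"
}

# Prints one line per problem and returns the number of problems found.
# Arguments: hosts-file sudoers-file ifcfg-file hostname deploy-user
preflight_report() {
    problems=0
    if host_maps_to_loopback "$1" "$4"; then
        echo "FAIL: $4 resolves to loopback in $1"; problems=$((problems + 1)); fi
    if requiretty_blocks_user "$2" "$5"; then
        echo "FAIL: requiretty applies to $5 in $2"; problems=$((problems + 1)); fi
    if ! onboot_enabled "$3"; then
        echo "FAIL: ONBOOT is not yes in $3"; problems=$((problems + 1)); fi
    return "$problems"
}

# Run against real files only when all five arguments are given.
if [ "$#" -eq 5 ]; then preflight_report "$@"; fi
```

Run it on each Ceph node with the paths to /etc/hosts, a readable copy of /etc/sudoers, the ifcfg-{iface} file, the node's hostname and {username}.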

On CentOS and RHEL, SELinux is set to Enforcing by default. To streamline your
installation, we recommend setting SELinux to Permissive or disabling it
entirely and ensuring that your installation and cluster are working properly
before hardening your configuration. To set SELinux to Permissive, execute the
following:

sudo setenforce 0

To configure SELinux persistently (recommended if SELinux is an issue), modify
the configuration file at /etc/selinux/config.